Hackers gained access to UMass info

Friday

Aug 21, 2009 at 6:00 AM; Aug 21, 2009 at 10:50 AM

By Priyanka Dayal, TELEGRAM & GAZETTE STAFF

Nearly a year ago, hackers broke into a computer server that contained Social Security numbers and “a very limited amount of” credit card information for graduates of University of Massachusetts at Amherst, the university announced recently.

There is no evidence that any personal information was stolen, according to UMass. Hackers gained access to one server on the university’s computer system, which held information of students who attended UMass between 1982 and 2002, as well as a few who attended before 1982. A UMass spokesman declined to say how many people’s records were exposed, except that it was “a large number” of undergraduate and graduate students who attended the university during the 20-year period.

Break-ins to the server occurred from Sept. 15 to Oct. 27 of last year, with the greatest vulnerability on Sept. 15 and Sept. 16, said John Dubach, chief information officer, in a statement posted on UMass’ Web site.

The statement was posted online Aug. 5, and UMass placed legal ads that ran for seven days during the last two weeks in the Telegram & Gazette, The Republican of Springfield and the Boston Globe. The notification, which is required by the attorney general’s office, came 11 months after the electronic intrusion, even though the UMass Office of Information Technology was aware of the breach last fall.

Patrick J. Callahan, a university spokesman, said the notification was delayed until investigators could determine what information was on the vulnerable computer. That took several months.

“They were aware of the breach, but they weren’t aware of everything that was on the computer,” he said. “They had to pull it apart.”

The hackers have not been identified, and the investigation continues.

In May, UMass hired consultants from Stroz Friedberg, a major computer forensics company, who confirmed that the intruders’ attack was not specifically designed to look for personal information. But the potential for loss of data did exist for a short time, according to the university’s statement.

Along with that statement, a copy of the legal ad and a list of frequently asked questions are posted at www.umass.edu. The legal ad states that victims have the right to obtain any other police reports filed in the incident. They also have the right to put a security freeze on their credit reports.

One police report regarding the data breach has been filed with university police, according to Mr. Callahan. The report was not immediately available yesterday.

Kerry Mulcahy, a high school English teacher in Worcester, got an undergraduate degree from UMass in 2002 and a graduate degree two years later. She’s an elected member of the alumni board, but she hadn’t heard about the security breach until contacted for this story. Now she’s thinking about getting a new credit card or bank card.

“I think they could have made a better effort to notify the base,” she said. “It was back in October and they released a statement Aug. 5? That’s too much time.”

UMass has provided a phone number for anyone who wants more information about the breach. Andrew Vernon, manager of the help desk at the university’s IT office, picked up that line. He said he has received only a few calls from concerned people. “We like to hope the information on our Web site is sufficient,” he said.

Last fall’s incident was not the first time hackers attacked UMass. There have been computer breaches before, including one on April 11, 2008, when someone broke into the health services department’s computer network, Mr. Callahan said.

The university says it already has taken steps to improve security, such as providing better training for system administrators and increasing efforts to identify all computers that contain personal information.

News of the computer breach at UMass comes as authorities this week accused 28-year-old Albert Gonzalez of stealing more than 130 million credit card numbers from various retailers. He’s also accused of stealing 40 million credit card numbers in Massachusetts. Computer breaches and identity theft are increasingly common, authorities say. Paul Stephens, director of policy and advocacy at the San Diego-based Privacy Rights Clearinghouse, said intrusions also are common at universities.

“It’s a combination of data not being sufficiently secure, and the fact that hackers are probably always two steps ahead of security people,” he said.

The clearinghouse keeps a list of all major, known security breaches in the United States since January 2005. The list includes instances of hacking at Boston College and Tufts University in 2005.

In 2006, a laptop holding personal information for 196,000 people was stolen from Fidelity Investments in Boston. And last year, a laptop that held information for 30,000 people was stolen from Fallon Community Health Plan in Worcester. In both those cases, and in the breach at UMass, Social Security numbers were vulnerable.

“If there are Social Security numbers involved, we consider that to be the highest risk,” Mr. Stephens said. “We recommend people should take high precautions.”